Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Challenge renewal: Connection refused #268

Closed
cfxda opened this issue Oct 12, 2021 · 11 comments
Closed

Challenge renewal: Connection refused #268

cfxda opened this issue Oct 12, 2021 · 11 comments

Comments

@cfxda
Copy link

cfxda commented Oct 12, 2021

Hi icing,
I am currrently facing the following issue in testsetup with the the letsencrypt staging env:
When requesting the challenge verification(tls-alpn-01) it can happen that the host is not reachable from the letsencrypt staging
Resulting in an error:
ACME server authz: challenge 'invalid' for ***domain*** at https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/id . Exact response was: {"identifier":{"type":"dns","value":"***domain***"},"status":"invalid","expires":"2021-10-15T15:48:53Z","challenges":[{"type":"tls-alpn-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:connection","detail":"Connection refused","status":400},"url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/id/tCNB2g","token":"HIrAlkWbO-MVwsF-pp92geBF2iXlOt8KE0ZUgtyzG5Ut6w","validationRecord":[{"hostname":"***domain***","port":"443","addressesResolved":["ip"],"addressUsed":"ip"}],"validated":"2021-10-08T15:48:55Z"}]}

Mod md than starts a retry with the same challenge some minutes later ending in the exact same error message again.
Any ideas why? Might it be related to the boulder retry limitation "Boulder does not implement the ability to retry challenges or the Retry-After header"(https://github.com/letsencrypt/boulder/blob/master/docs/acme-divergences.md#section-82)

@icing
Copy link
Owner

icing commented Oct 12, 2021

I read this as lets encrypt is unable to open a connection to your host on port 443.

Apache will retry with increasing delays. Have you verified that your domain is reachable on that port from the public internet?

@cfxda
Copy link
Author

cfxda commented Oct 12, 2021

yes it might fail once (e.g. service is not properly up), but within the retries the letsencrypt staging domain always returns the first validation => which exact the same message. Only removal of the challenge and the staging folder will get me out of the situation.

@cfxda
Copy link
Author

cfxda commented Oct 14, 2021

Shouldn`t there be an alternative approach for acme CAs who dont support a retry? (https://community.letsencrypt.org/t/regarding-retrying-challenges/89606)

@icing
Copy link
Owner

icing commented Oct 14, 2021

I believe you have found a bug in the order check of the module. When it finds a previous order, it updates it from the server. When the server no longer knows about it, it creates a new order.

The it iterates over the domains to see where it needs to start challenges. On seeing the state "invalid" from a previous challenge, it reports an error and stops.

What it should do: it should check the previous order first for "invalid" domains and, if there are some, start a new order.

@icing
Copy link
Owner

icing commented Oct 14, 2021

Can you build a new version here from github to test a possible patch?

@cfxda
Copy link
Author

cfxda commented Oct 14, 2021

sure 👍

icing pushed a commit that referenced this issue Oct 14, 2021
…ing order

   with some invalid domains. Now, if such are seen in a previous order, a new
   order is created for a clean start over again. See #268.
@icing
Copy link
Owner

icing commented Oct 14, 2021

In master now. Hope it works for you.

@icing
Copy link
Owner

icing commented Oct 18, 2021

Let me know when you had time to verify this.

icing pushed a commit that referenced this issue Oct 19, 2021
----------------------------------------------------------------------------------------------------
 * `MDContactEmail` can now be specified inside a `<MDomain dnsname>` section.
 * Treating 401 HTTP status codes for orders like 403, since Sectigo
   seems to prefer that for accessing oders from other accounts.
 * When retrieving certificate chains, try to read the repsonse even
   if the HTTP Content-Type is unrecognized (Sectigo workaround).
 * Fixed the renewal process giving up every time on an already existing order
   with some invalid domains. Now, if such are seen in a previous order, a new
   order is created for a clean start over again. See #268.
 * Fixed a mixup in md-status handler when static certificate files and
   renewal was configured at the same time.
 * New: experimental support for ACME External Account Binding (EAB).
   Use the new directive `MDExternalAccountBinding` to provide the
   server with the value for key identifier and hmac as provided by
   your CA.
   While working on some servers, EAB handling is not uniform across CAs.
   First tests with a Sectigo Certificate Manager in demo mode are
   successful. But ZeroSSL, for example, seems to regard EAB values as
   a one-time-use-only thing, which makes them fail if you create a
   seconde account or retry the creation of the first account with
   the same EAB.
@cfxda
Copy link
Author

cfxda commented Oct 19, 2021

Sorry took a bit longer. It solves my problem, but maybe introduces a potential new one:
Through the new order the error counter is reset as well as the timing:
Example log "encountered error for the 1. time, next run in 2 seconds"
This will lead to a high risk spamming the CA with tons of request before e.g. fixing the connection issue.
Would it be possible to start a new "throttled order"?

@icing
Copy link
Owner

icing commented Oct 20, 2021

Hmm, thinking on how to make a test case for that.

@icing
Copy link
Owner

icing commented Oct 20, 2021

Added test case 741_001 to verify this and indeed, the error counter was reset unnecessarily. Should be fixed now in master.

asfgit pushed a commit to apache/httpd that referenced this issue Oct 29, 2021
    - Added support for ACME External Account Binding (EAB).
      Use the new directive `MDExternalAccountBinding` to provide the
      server with the value for key identifier and hmac as provided by
      your CA.
      While working on some servers, EAB handling is not uniform
      across CAs. First tests with a Sectigo Certificate Manager in
      demo mode are successful. But ZeroSSL, for example, seems to
      regard EAB values as a one-time-use-only thing, which makes them
      fail if you create a seconde account or retry the creation of the
      first account with the same EAB.
    - The directive 'MDCertificateAuthority' now checks if its parameter
      is a http/https url or one of a set of known names. Those are
      'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
      for now and they are not case-sensitive.
      The default of LetsEncrypt is unchanged.
    - `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
      section.
    - Treating 401 HTTP status codes for orders like 403, since some ACME
      servers seem to prefer that for accessing oders from other accounts.
    - When retrieving certificate chains, try to read the repsonse even
      if the HTTP Content-Type is unrecognized.
    - Fixed a bug that reset the error counter of a certificate renewal
      and prevented the increasing delays in further attempts.
    - Fixed the renewal process giving up every time on an already existing
      order with some invalid domains. Now, if such are seen in a previous
      order, a new order is created for a clean start over again.
      See <icing/mod_md#268>
    - Fixed a mixup in md-status handler when static certificate files
      and renewal was configured at the same time.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1894610 13f79535-47bb-0310-9956-ffa450edef68
@cfxda cfxda closed this as completed Nov 10, 2021
asfgit pushed a commit to apache/httpd that referenced this issue Nov 24, 2021
  *) mod_md: Fix memory leak in case of failures to load the private key.
     PR 65620 [ Filipe Casal <filipe.casal@trailofbits.com> ]
  *) mod_md: adding v2.4.8 with the following changes
    - Added support for ACME External Account Binding (EAB).
      Use the new directive `MDExternalAccountBinding` to provide the
      server with the value for key identifier and hmac as provided by
      your CA.
      While working on some servers, EAB handling is not uniform
      across CAs. First tests with a Sectigo Certificate Manager in
      demo mode are successful. But ZeroSSL, for example, seems to
      regard EAB values as a one-time-use-only thing, which makes them
      fail if you create a seconde account or retry the creation of the
      first account with the same EAB.
    - The directive 'MDCertificateAuthority' now checks if its parameter
      is a http/https url or one of a set of known names. Those are
      'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
      for now and they are not case-sensitive.
      The default of LetsEncrypt is unchanged.
    - `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
      section.
    - Treating 401 HTTP status codes for orders like 403, since some ACME
      servers seem to prefer that for accessing oders from other accounts.
    - When retrieving certificate chains, try to read the repsonse even
      if the HTTP Content-Type is unrecognized.
    - Fixed a bug that reset the error counter of a certificate renewal
      and prevented the increasing delays in further attempts.
    - Fixed the renewal process giving up every time on an already existing
      order with some invalid domains. Now, if such are seen in a previous
      order, a new order is created for a clean start over again.
      See <icing/mod_md#268>
    - Fixed a mixup in md-status handler when static certificate files
      and renewal was configured at the same time.
  *) mod_md: values for External Account Binding (EAB) can
     now also be configured to be read from a separate JSON
     file. This allows to keep server configuration permissions
     world readable without exposing secrets.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1895289 13f79535-47bb-0310-9956-ffa450edef68
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Dec 21, 2021
Changes with Apache 2.4.52

*) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
   multipart content in mod_lua of Apache HTTP Server 2.4.51 and
   earlier (cve.mitre.org)
   A carefully crafted request body can cause a buffer overflow in
   the mod_lua multipart parser (r:parsebody() called from Lua
   scripts).
   The Apache httpd team is not aware of an exploit for the
   vulnerabilty though it might be possible to craft one.
   This issue affects Apache HTTP Server 2.4.51 and earlier.
   Credits: Chamal

*) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
   forward proxy configurations in Apache HTTP Server 2.4.51 and
   earlier (cve.mitre.org)
   A crafted URI sent to httpd configured as a forward proxy
   (ProxyRequests on) can cause a crash (NULL pointer dereference)
   or, for configurations mixing forward and reverse proxy
   declarations, can allow for requests to be directed to a
   declared Unix Domain Socket endpoint (Server Side Request
   Forgery).
   This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
   (included).
   Credits: ćź�于éź
   TengMA(@te3t123)

*) http: Enforce that fully qualified uri-paths not to be forward-proxied
   have an http(s) scheme, and that the ones to be forward proxied have a
   hostname, per HTTP specifications.

*) OpenSSL autoconf detection improvement: pick up openssl.pc in the
   specified openssl path.

*) mod_proxy_connect, mod_proxy: Do not change the status code after we
   already sent it to the client.

*) mod_http: Correctly sent a 100 Continue status code when sending an interim
   response as result of an Expect: 100-Continue in the request and not the
   current status code of the request.

*) mod_dav: Some DAV extensions, like CalDAV, specify both document
   elements and property elements that need to be taken into account
   when generating a property. The document element and property element
   are made available in the dav_liveprop_elem structure by calling
   dav_get_liveprop_element().

*) mod_dav: Add utility functions dav_validate_root_ns(),
   dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and
   dav_find_attr() so that other modules get to play too.

*) mpm_event: Restart stopping of idle children after a load peak.

*) mod_http2: fixes 2 regressions in server limit handling.
   1. When reaching server limits, such as MaxRequestsPerChild, the
      HTTP/2 connection send a GOAWAY frame much too early on new
      connections, leading to invalid protocol state and a client
      failing the request.
      The module now initializes the HTTP/2 protocol correctly and
      allows the client to submit one request before the shutdown
      via a GOAWAY frame is being announced.
   2. A regression in v1.15.24 was fixed that could lead to httpd
      child processes not being terminated on a graceful reload or
      when reaching MaxConnectionsPerChild. When unprocessed h2
      requests were queued at the time, these could stall.
      See <icing/mod_h2#212>.

*) mod_ssl: Add build support for OpenSSL v3.

*) mod_proxy_connect: Honor the smallest of the backend or client timeout
   while tunneling.

*) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP
   half-close forwarding when tunneling protocols.

*) core: Be safe with ap_lingering_close() called with a socket NULL-ed by
   a third-party module.

*) mod_md: Fix memory leak in case of failures to load the private key.

*) mod_md: adding v2.4.8 with the following changes
  - Added support for ACME External Account Binding (EAB).
    Use the new directive `MDExternalAccountBinding` to provide the
    server with the value for key identifier and hmac as provided by
    your CA.
    While working on some servers, EAB handling is not uniform
    across CAs. First tests with a Sectigo Certificate Manager in
    demo mode are successful. But ZeroSSL, for example, seems to
    regard EAB values as a one-time-use-only thing, which makes them
    fail if you create a seconde account or retry the creation of the
    first account with the same EAB.
  - The directive 'MDCertificateAuthority' now checks if its parameter
    is a http/https url or one of a set of known names. Those are
    'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
    for now and they are not case-sensitive.
    The default of LetsEncrypt is unchanged.
  - `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
    section.
  - Treating 401 HTTP status codes for orders like 403, since some ACME
    servers seem to prefer that for accessing oders from other accounts.
  - When retrieving certificate chains, try to read the repsonse even
    if the HTTP Content-Type is unrecognized.
  - Fixed a bug that reset the error counter of a certificate renewal
    and prevented the increasing delays in further attempts.
  - Fixed the renewal process giving up every time on an already existing
    order with some invalid domains. Now, if such are seen in a previous
    order, a new order is created for a clean start over again.
    See <icing/mod_md#268>
  - Fixed a mixup in md-status handler when static certificate files
    and renewal was configured at the same time.

*) mod_md: values for External Account Binding (EAB) can
   now also be configured to be read from a separate JSON
   file. This allows to keep server configuration permissions
   world readable without exposing secrets.

*) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.
kraj pushed a commit to YoeDistro/meta-openembedded that referenced this issue Dec 27, 2021
Changelog:
==========
 *) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
     multipart content in mod_lua of Apache HTTP Server 2.4.51 and
     earlier (cve.mitre.org)
     A carefully crafted request body can cause a buffer overflow in
     the mod_lua multipart parser (r:parsebody() called from Lua
     scripts).
     The Apache httpd team is not aware of an exploit for the
     vulnerabilty though it might be possible to craft one.
     This issue affects Apache HTTP Server 2.4.51 and earlier.

  *) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
     forward proxy configurations in Apache HTTP Server 2.4.51 and
     earlier (cve.mitre.org)
     A crafted URI sent to httpd configured as a forward proxy
     (ProxyRequests on) can cause a crash (NULL pointer dereference)
     or, for configurations mixing forward and reverse proxy
     declarations, can allow for requests to be directed to a
     declared Unix Domain Socket endpoint (Server Side Request
     Forgery).
     This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
     (included).

  *) http: Enforce that fully qualified uri-paths not to be forward-proxied
     have an http(s) scheme, and that the ones to be forward proxied have a
     hostname, per HTTP specifications.

  *) OpenSSL autoconf detection improvement: pick up openssl.pc in the
     specified openssl path.

  *) mod_proxy_connect, mod_proxy: Do not change the status code after we
     already sent it to the client.

  *) mod_http: Correctly sent a 100 Continue status code when sending an interim
     response as result of an Expect: 100-Continue in the request and not the
     current status code of the request. PR 65725

  *) mod_dav: Some DAV extensions, like CalDAV, specify both document
     elements and property elements that need to be taken into account
     when generating a property. The document element and property element
     are made available in the dav_liveprop_elem structure by calling
     dav_get_liveprop_element().

  *) mod_dav: Add utility functions dav_validate_root_ns(),
     dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and
     dav_find_attr() so that other modules get to play too.

  *) mpm_event: Restart stopping of idle children after a load peak. PR 65626.

  *) mod_http2: fixes 2 regressions in server limit handling.
     1. When reaching server limits, such as MaxRequestsPerChild, the
        HTTP/2 connection send a GOAWAY frame much too early on new
        connections, leading to invalid protocol state and a client
        failing the request. See PR65731.
        The module now initializes the HTTP/2 protocol correctly and
        allows the client to submit one request before the shutdown
        via a GOAWAY frame is being announced.
     2. A regression in v1.15.24 was fixed that could lead to httpd
        child processes not being terminated on a graceful reload or
        when reaching MaxConnectionsPerChild. When unprocessed h2
        requests were queued at the time, these could stall.
        See <icing/mod_h2#212>.

  *) mod_ssl: Add build support for OpenSSL v3.

  *) mod_proxy_connect: Honor the smallest of the backend or client timeout
     while tunneling.

  *) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP
     half-close forwarding when tunneling protocols.

  *) core: Be safe with ap_lingering_close() called with a socket NULL-ed by
     a third-party module.  PR 65627.

  *) mod_md: Fix memory leak in case of failures to load the private key.
     PR 65620

  *) mod_md: adding v2.4.8 with the following changes
    - Added support for ACME External Account Binding (EAB).
      Use the new directive `MDExternalAccountBinding` to provide the
      server with the value for key identifier and hmac as provided by
      your CA.
      While working on some servers, EAB handling is not uniform
      across CAs. First tests with a Sectigo Certificate Manager in
      demo mode are successful. But ZeroSSL, for example, seems to
      regard EAB values as a one-time-use-only thing, which makes them
      fail if you create a seconde account or retry the creation of the
      first account with the same EAB.
    - The directive 'MDCertificateAuthority' now checks if its parameter
      is a http/https url or one of a set of known names. Those are
      'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
      for now and they are not case-sensitive.
      The default of LetsEncrypt is unchanged.
    - `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
      section.
    - Treating 401 HTTP status codes for orders like 403, since some ACME
      servers seem to prefer that for accessing oders from other accounts.
    - When retrieving certificate chains, try to read the repsonse even
      if the HTTP Content-Type is unrecognized.
    - Fixed a bug that reset the error counter of a certificate renewal
      and prevented the increasing delays in further attempts.
    - Fixed the renewal process giving up every time on an already existing
      order with some invalid domains. Now, if such are seen in a previous
      order, a new order is created for a clean start over again.
      See <icing/mod_md#268>
    - Fixed a mixup in md-status handler when static certificate files
      and renewal was configured at the same time.

  *) mod_md: values for External Account Binding (EAB) can
     now also be configured to be read from a separate JSON
     file. This allows to keep server configuration permissions
     world readable without exposing secrets.

  *) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.
     PR 65616.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
halstead pushed a commit to openembedded/meta-openembedded that referenced this issue Jan 15, 2022
Changelog:
==========
 *) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
     multipart content in mod_lua of Apache HTTP Server 2.4.51 and
     earlier (cve.mitre.org)
     A carefully crafted request body can cause a buffer overflow in
     the mod_lua multipart parser (r:parsebody() called from Lua
     scripts).
     The Apache httpd team is not aware of an exploit for the
     vulnerabilty though it might be possible to craft one.
     This issue affects Apache HTTP Server 2.4.51 and earlier.

  *) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
     forward proxy configurations in Apache HTTP Server 2.4.51 and
     earlier (cve.mitre.org)
     A crafted URI sent to httpd configured as a forward proxy
     (ProxyRequests on) can cause a crash (NULL pointer dereference)
     or, for configurations mixing forward and reverse proxy
     declarations, can allow for requests to be directed to a
     declared Unix Domain Socket endpoint (Server Side Request
     Forgery).
     This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
     (included).

  *) http: Enforce that fully qualified uri-paths not to be forward-proxied
     have an http(s) scheme, and that the ones to be forward proxied have a
     hostname, per HTTP specifications.

  *) OpenSSL autoconf detection improvement: pick up openssl.pc in the
     specified openssl path.

  *) mod_proxy_connect, mod_proxy: Do not change the status code after we
     already sent it to the client.

  *) mod_http: Correctly sent a 100 Continue status code when sending an interim
     response as result of an Expect: 100-Continue in the request and not the
     current status code of the request. PR 65725

  *) mod_dav: Some DAV extensions, like CalDAV, specify both document
     elements and property elements that need to be taken into account
     when generating a property. The document element and property element
     are made available in the dav_liveprop_elem structure by calling
     dav_get_liveprop_element().

  *) mod_dav: Add utility functions dav_validate_root_ns(),
     dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and
     dav_find_attr() so that other modules get to play too.

  *) mpm_event: Restart stopping of idle children after a load peak. PR 65626.

  *) mod_http2: fixes 2 regressions in server limit handling.
     1. When reaching server limits, such as MaxRequestsPerChild, the
        HTTP/2 connection send a GOAWAY frame much too early on new
        connections, leading to invalid protocol state and a client
        failing the request. See PR65731.
        The module now initializes the HTTP/2 protocol correctly and
        allows the client to submit one request before the shutdown
        via a GOAWAY frame is being announced.
     2. A regression in v1.15.24 was fixed that could lead to httpd
        child processes not being terminated on a graceful reload or
        when reaching MaxConnectionsPerChild. When unprocessed h2
        requests were queued at the time, these could stall.
        See <icing/mod_h2#212>.

  *) mod_ssl: Add build support for OpenSSL v3.

  *) mod_proxy_connect: Honor the smallest of the backend or client timeout
     while tunneling.

  *) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP
     half-close forwarding when tunneling protocols.

  *) core: Be safe with ap_lingering_close() called with a socket NULL-ed by
     a third-party module.  PR 65627.

  *) mod_md: Fix memory leak in case of failures to load the private key.
     PR 65620

  *) mod_md: adding v2.4.8 with the following changes
    - Added support for ACME External Account Binding (EAB).
      Use the new directive `MDExternalAccountBinding` to provide the
      server with the value for key identifier and hmac as provided by
      your CA.
      While working on some servers, EAB handling is not uniform
      across CAs. First tests with a Sectigo Certificate Manager in
      demo mode are successful. But ZeroSSL, for example, seems to
      regard EAB values as a one-time-use-only thing, which makes them
      fail if you create a seconde account or retry the creation of the
      first account with the same EAB.
    - The directive 'MDCertificateAuthority' now checks if its parameter
      is a http/https url or one of a set of known names. Those are
      'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
      for now and they are not case-sensitive.
      The default of LetsEncrypt is unchanged.
    - `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
      section.
    - Treating 401 HTTP status codes for orders like 403, since some ACME
      servers seem to prefer that for accessing oders from other accounts.
    - When retrieving certificate chains, try to read the repsonse even
      if the HTTP Content-Type is unrecognized.
    - Fixed a bug that reset the error counter of a certificate renewal
      and prevented the increasing delays in further attempts.
    - Fixed the renewal process giving up every time on an already existing
      order with some invalid domains. Now, if such are seen in a previous
      order, a new order is created for a clean start over again.
      See <icing/mod_md#268>
    - Fixed a mixup in md-status handler when static certificate files
      and renewal was configured at the same time.

  *) mod_md: values for External Account Binding (EAB) can
     now also be configured to be read from a separate JSON
     file. This allows to keep server configuration permissions
     world readable without exposing secrets.

  *) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.
     PR 65616.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ea76fc6)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
halstead pushed a commit to openembedded/meta-openembedded that referenced this issue Jan 27, 2022
Changelog:
==========
 *) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
     multipart content in mod_lua of Apache HTTP Server 2.4.51 and
     earlier (cve.mitre.org)
     A carefully crafted request body can cause a buffer overflow in
     the mod_lua multipart parser (r:parsebody() called from Lua
     scripts).
     The Apache httpd team is not aware of an exploit for the
     vulnerabilty though it might be possible to craft one.
     This issue affects Apache HTTP Server 2.4.51 and earlier.

  *) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
     forward proxy configurations in Apache HTTP Server 2.4.51 and
     earlier (cve.mitre.org)
     A crafted URI sent to httpd configured as a forward proxy
     (ProxyRequests on) can cause a crash (NULL pointer dereference)
     or, for configurations mixing forward and reverse proxy
     declarations, can allow for requests to be directed to a
     declared Unix Domain Socket endpoint (Server Side Request
     Forgery).
     This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
     (included).

  *) http: Enforce that fully qualified uri-paths not to be forward-proxied
     have an http(s) scheme, and that the ones to be forward proxied have a
     hostname, per HTTP specifications.

  *) OpenSSL autoconf detection improvement: pick up openssl.pc in the
     specified openssl path.

  *) mod_proxy_connect, mod_proxy: Do not change the status code after we
     already sent it to the client.

  *) mod_http: Correctly sent a 100 Continue status code when sending an interim
     response as result of an Expect: 100-Continue in the request and not the
     current status code of the request. PR 65725

  *) mod_dav: Some DAV extensions, like CalDAV, specify both document
     elements and property elements that need to be taken into account
     when generating a property. The document element and property element
     are made available in the dav_liveprop_elem structure by calling
     dav_get_liveprop_element().

  *) mod_dav: Add utility functions dav_validate_root_ns(),
     dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and
     dav_find_attr() so that other modules get to play too.

  *) mpm_event: Restart stopping of idle children after a load peak. PR 65626.

  *) mod_http2: fixes 2 regressions in server limit handling.
     1. When reaching server limits, such as MaxRequestsPerChild, the
        HTTP/2 connection send a GOAWAY frame much too early on new
        connections, leading to invalid protocol state and a client
        failing the request. See PR65731.
        The module now initializes the HTTP/2 protocol correctly and
        allows the client to submit one request before the shutdown
        via a GOAWAY frame is being announced.
     2. A regression in v1.15.24 was fixed that could lead to httpd
        child processes not being terminated on a graceful reload or
        when reaching MaxConnectionsPerChild. When unprocessed h2
        requests were queued at the time, these could stall.
        See <icing/mod_h2#212>.

  *) mod_ssl: Add build support for OpenSSL v3.

  *) mod_proxy_connect: Honor the smallest of the backend or client timeout
     while tunneling.

  *) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP
     half-close forwarding when tunneling protocols.

  *) core: Be safe with ap_lingering_close() called with a socket NULL-ed by
     a third-party module.  PR 65627.

  *) mod_md: Fix memory leak in case of failures to load the private key.
     PR 65620

  *) mod_md: adding v2.4.8 with the following changes
    - Added support for ACME External Account Binding (EAB).
      Use the new directive `MDExternalAccountBinding` to provide the
      server with the value for key identifier and hmac as provided by
      your CA.
      While working on some servers, EAB handling is not uniform
      across CAs. First tests with a Sectigo Certificate Manager in
      demo mode are successful. But ZeroSSL, for example, seems to
      regard EAB values as a one-time-use-only thing, which makes them
      fail if you create a seconde account or retry the creation of the
      first account with the same EAB.
    - The directive 'MDCertificateAuthority' now checks if its parameter
      is a http/https url or one of a set of known names. Those are
      'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
      for now and they are not case-sensitive.
      The default of LetsEncrypt is unchanged.
    - `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
      section.
    - Treating 401 HTTP status codes for orders like 403, since some ACME
      servers seem to prefer that for accessing oders from other accounts.
    - When retrieving certificate chains, try to read the repsonse even
      if the HTTP Content-Type is unrecognized.
    - Fixed a bug that reset the error counter of a certificate renewal
      and prevented the increasing delays in further attempts.
    - Fixed the renewal process giving up every time on an already existing
      order with some invalid domains. Now, if such are seen in a previous
      order, a new order is created for a clean start over again.
      See <icing/mod_md#268>
    - Fixed a mixup in md-status handler when static certificate files
      and renewal was configured at the same time.

  *) mod_md: values for External Account Binding (EAB) can
     now also be configured to be read from a separate JSON
     file. This allows to keep server configuration permissions
     world readable without exposing secrets.

  *) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.
     PR 65616.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ea76fc6)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
halstead pushed a commit to openembedded/meta-openembedded that referenced this issue Feb 9, 2022
Changelog:
==========
 *) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
     multipart content in mod_lua of Apache HTTP Server 2.4.51 and
     earlier (cve.mitre.org)
     A carefully crafted request body can cause a buffer overflow in
     the mod_lua multipart parser (r:parsebody() called from Lua
     scripts).
     The Apache httpd team is not aware of an exploit for the
     vulnerabilty though it might be possible to craft one.
     This issue affects Apache HTTP Server 2.4.51 and earlier.

  *) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
     forward proxy configurations in Apache HTTP Server 2.4.51 and
     earlier (cve.mitre.org)
     A crafted URI sent to httpd configured as a forward proxy
     (ProxyRequests on) can cause a crash (NULL pointer dereference)
     or, for configurations mixing forward and reverse proxy
     declarations, can allow for requests to be directed to a
     declared Unix Domain Socket endpoint (Server Side Request
     Forgery).
     This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
     (included).

  *) http: Enforce that fully qualified uri-paths not to be forward-proxied
     have an http(s) scheme, and that the ones to be forward proxied have a
     hostname, per HTTP specifications.

  *) OpenSSL autoconf detection improvement: pick up openssl.pc in the
     specified openssl path.

  *) mod_proxy_connect, mod_proxy: Do not change the status code after we
     already sent it to the client.

  *) mod_http: Correctly sent a 100 Continue status code when sending an interim
     response as result of an Expect: 100-Continue in the request and not the
     current status code of the request. PR 65725

  *) mod_dav: Some DAV extensions, like CalDAV, specify both document
     elements and property elements that need to be taken into account
     when generating a property. The document element and property element
     are made available in the dav_liveprop_elem structure by calling
     dav_get_liveprop_element().

  *) mod_dav: Add utility functions dav_validate_root_ns(),
     dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and
     dav_find_attr() so that other modules get to play too.

  *) mpm_event: Restart stopping of idle children after a load peak. PR 65626.

  *) mod_http2: fixes 2 regressions in server limit handling.
     1. When reaching server limits, such as MaxRequestsPerChild, the
        HTTP/2 connection send a GOAWAY frame much too early on new
        connections, leading to invalid protocol state and a client
        failing the request. See PR65731.
        The module now initializes the HTTP/2 protocol correctly and
        allows the client to submit one request before the shutdown
        via a GOAWAY frame is being announced.
     2. A regression in v1.15.24 was fixed that could lead to httpd
        child processes not being terminated on a graceful reload or
        when reaching MaxConnectionsPerChild. When unprocessed h2
        requests were queued at the time, these could stall.
        See <icing/mod_h2#212>.

  *) mod_ssl: Add build support for OpenSSL v3.

  *) mod_proxy_connect: Honor the smallest of the backend or client timeout
     while tunneling.

  *) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP
     half-close forwarding when tunneling protocols.

  *) core: Be safe with ap_lingering_close() called with a socket NULL-ed by
     a third-party module.  PR 65627.

  *) mod_md: Fix memory leak in case of failures to load the private key.
     PR 65620

  *) mod_md: adding v2.4.8 with the following changes
    - Added support for ACME External Account Binding (EAB).
      Use the new directive `MDExternalAccountBinding` to provide the
      server with the value for key identifier and hmac as provided by
      your CA.
      While working on some servers, EAB handling is not uniform
      across CAs. First tests with a Sectigo Certificate Manager in
      demo mode are successful. But ZeroSSL, for example, seems to
      regard EAB values as a one-time-use-only thing, which makes them
      fail if you create a seconde account or retry the creation of the
      first account with the same EAB.
    - The directive 'MDCertificateAuthority' now checks if its parameter
      is a http/https url or one of a set of known names. Those are
      'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
      for now and they are not case-sensitive.
      The default of LetsEncrypt is unchanged.
    - `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
      section.
    - Treating 401 HTTP status codes for orders like 403, since some ACME
      servers seem to prefer that for accessing oders from other accounts.
    - When retrieving certificate chains, try to read the repsonse even
      if the HTTP Content-Type is unrecognized.
    - Fixed a bug that reset the error counter of a certificate renewal
      and prevented the increasing delays in further attempts.
    - Fixed the renewal process giving up every time on an already existing
      order with some invalid domains. Now, if such are seen in a previous
      order, a new order is created for a clean start over again.
      See <icing/mod_md#268>
    - Fixed a mixup in md-status handler when static certificate files
      and renewal was configured at the same time.

  *) mod_md: values for External Account Binding (EAB) can
     now also be configured to be read from a separate JSON
     file. This allows to keep server configuration permissions
     world readable without exposing secrets.

  *) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.
     PR 65616.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ea76fc6)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
jpuhlman pushed a commit to MontaVista-OpenSourceTechnology/meta-openembedded that referenced this issue Feb 15, 2022
Source: meta-openembedded
MR: 114119, 114125, 115838
Type: Security Fix
Disposition: Merged from meta-openembedded
ChangeID: 4735d66
Description:

Changelog:
==========
 *) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
     multipart content in mod_lua of Apache HTTP Server 2.4.51 and
     earlier (cve.mitre.org)
     A carefully crafted request body can cause a buffer overflow in
     the mod_lua multipart parser (r:parsebody() called from Lua
     scripts).
     The Apache httpd team is not aware of an exploit for the
     vulnerabilty though it might be possible to craft one.
     This issue affects Apache HTTP Server 2.4.51 and earlier.

  *) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
     forward proxy configurations in Apache HTTP Server 2.4.51 and
     earlier (cve.mitre.org)
     A crafted URI sent to httpd configured as a forward proxy
     (ProxyRequests on) can cause a crash (NULL pointer dereference)
     or, for configurations mixing forward and reverse proxy
     declarations, can allow for requests to be directed to a
     declared Unix Domain Socket endpoint (Server Side Request
     Forgery).
     This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
     (included).

  *) http: Enforce that fully qualified uri-paths not to be forward-proxied
     have an http(s) scheme, and that the ones to be forward proxied have a
     hostname, per HTTP specifications.

  *) OpenSSL autoconf detection improvement: pick up openssl.pc in the
     specified openssl path.

  *) mod_proxy_connect, mod_proxy: Do not change the status code after we
     already sent it to the client.

  *) mod_http: Correctly sent a 100 Continue status code when sending an interim
     response as result of an Expect: 100-Continue in the request and not the
     current status code of the request. PR 65725

  *) mod_dav: Some DAV extensions, like CalDAV, specify both document
     elements and property elements that need to be taken into account
     when generating a property. The document element and property element
     are made available in the dav_liveprop_elem structure by calling
     dav_get_liveprop_element().

  *) mod_dav: Add utility functions dav_validate_root_ns(),
     dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and
     dav_find_attr() so that other modules get to play too.

  *) mpm_event: Restart stopping of idle children after a load peak. PR 65626.

  *) mod_http2: fixes 2 regressions in server limit handling.
     1. When reaching server limits, such as MaxRequestsPerChild, the
        HTTP/2 connection send a GOAWAY frame much too early on new
        connections, leading to invalid protocol state and a client
        failing the request. See PR65731.
        The module now initializes the HTTP/2 protocol correctly and
        allows the client to submit one request before the shutdown
        via a GOAWAY frame is being announced.
     2. A regression in v1.15.24 was fixed that could lead to httpd
        child processes not being terminated on a graceful reload or
        when reaching MaxConnectionsPerChild. When unprocessed h2
        requests were queued at the time, these could stall.
        See <icing/mod_h2#212>.

  *) mod_ssl: Add build support for OpenSSL v3.

  *) mod_proxy_connect: Honor the smallest of the backend or client timeout
     while tunneling.

  *) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP
     half-close forwarding when tunneling protocols.

  *) core: Be safe with ap_lingering_close() called with a socket NULL-ed by
     a third-party module.  PR 65627.

  *) mod_md: Fix memory leak in case of failures to load the private key.
     PR 65620

  *) mod_md: adding v2.4.8 with the following changes
    - Added support for ACME External Account Binding (EAB).
      Use the new directive `MDExternalAccountBinding` to provide the
      server with the value for key identifier and hmac as provided by
      your CA.
      While working on some servers, EAB handling is not uniform
      across CAs. First tests with a Sectigo Certificate Manager in
      demo mode are successful. But ZeroSSL, for example, seems to
      regard EAB values as a one-time-use-only thing, which makes them
      fail if you create a seconde account or retry the creation of the
      first account with the same EAB.
    - The directive 'MDCertificateAuthority' now checks if its parameter
      is a http/https url or one of a set of known names. Those are
      'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
      for now and they are not case-sensitive.
      The default of LetsEncrypt is unchanged.
    - `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
      section.
    - Treating 401 HTTP status codes for orders like 403, since some ACME
      servers seem to prefer that for accessing oders from other accounts.
    - When retrieving certificate chains, try to read the repsonse even
      if the HTTP Content-Type is unrecognized.
    - Fixed a bug that reset the error counter of a certificate renewal
      and prevented the increasing delays in further attempts.
    - Fixed the renewal process giving up every time on an already existing
      order with some invalid domains. Now, if such are seen in a previous
      order, a new order is created for a clean start over again.
      See <icing/mod_md#268>
    - Fixed a mixup in md-status handler when static certificate files
      and renewal was configured at the same time.

  *) mod_md: values for External Account Binding (EAB) can
     now also be configured to be read from a separate JSON
     file. This allows to keep server configuration permissions
     world readable without exposing secrets.

  *) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.
     PR 65616.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ea76fc6)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
amstewart pushed a commit to ni/meta-openembedded that referenced this issue May 2, 2022
Changelog:
==========
 *) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
     multipart content in mod_lua of Apache HTTP Server 2.4.51 and
     earlier (cve.mitre.org)
     A carefully crafted request body can cause a buffer overflow in
     the mod_lua multipart parser (r:parsebody() called from Lua
     scripts).
     The Apache httpd team is not aware of an exploit for the
     vulnerabilty though it might be possible to craft one.
     This issue affects Apache HTTP Server 2.4.51 and earlier.

  *) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
     forward proxy configurations in Apache HTTP Server 2.4.51 and
     earlier (cve.mitre.org)
     A crafted URI sent to httpd configured as a forward proxy
     (ProxyRequests on) can cause a crash (NULL pointer dereference)
     or, for configurations mixing forward and reverse proxy
     declarations, can allow for requests to be directed to a
     declared Unix Domain Socket endpoint (Server Side Request
     Forgery).
     This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
     (included).

  *) http: Enforce that fully qualified uri-paths not to be forward-proxied
     have an http(s) scheme, and that the ones to be forward proxied have a
     hostname, per HTTP specifications.

  *) OpenSSL autoconf detection improvement: pick up openssl.pc in the
     specified openssl path.

  *) mod_proxy_connect, mod_proxy: Do not change the status code after we
     already sent it to the client.

  *) mod_http: Correctly sent a 100 Continue status code when sending an interim
     response as result of an Expect: 100-Continue in the request and not the
     current status code of the request. PR 65725

  *) mod_dav: Some DAV extensions, like CalDAV, specify both document
     elements and property elements that need to be taken into account
     when generating a property. The document element and property element
     are made available in the dav_liveprop_elem structure by calling
     dav_get_liveprop_element().

  *) mod_dav: Add utility functions dav_validate_root_ns(),
     dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and
     dav_find_attr() so that other modules get to play too.

  *) mpm_event: Restart stopping of idle children after a load peak. PR 65626.

  *) mod_http2: fixes 2 regressions in server limit handling.
     1. When reaching server limits, such as MaxRequestsPerChild, the
        HTTP/2 connection send a GOAWAY frame much too early on new
        connections, leading to invalid protocol state and a client
        failing the request. See PR65731.
        The module now initializes the HTTP/2 protocol correctly and
        allows the client to submit one request before the shutdown
        via a GOAWAY frame is being announced.
     2. A regression in v1.15.24 was fixed that could lead to httpd
        child processes not being terminated on a graceful reload or
        when reaching MaxConnectionsPerChild. When unprocessed h2
        requests were queued at the time, these could stall.
        See <icing/mod_h2#212>.

  *) mod_ssl: Add build support for OpenSSL v3.

  *) mod_proxy_connect: Honor the smallest of the backend or client timeout
     while tunneling.

  *) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP
     half-close forwarding when tunneling protocols.

  *) core: Be safe with ap_lingering_close() called with a socket NULL-ed by
     a third-party module.  PR 65627.

  *) mod_md: Fix memory leak in case of failures to load the private key.
     PR 65620

  *) mod_md: adding v2.4.8 with the following changes
    - Added support for ACME External Account Binding (EAB).
      Use the new directive `MDExternalAccountBinding` to provide the
      server with the value for key identifier and hmac as provided by
      your CA.
      While working on some servers, EAB handling is not uniform
      across CAs. First tests with a Sectigo Certificate Manager in
      demo mode are successful. But ZeroSSL, for example, seems to
      regard EAB values as a one-time-use-only thing, which makes them
      fail if you create a seconde account or retry the creation of the
      first account with the same EAB.
    - The directive 'MDCertificateAuthority' now checks if its parameter
      is a http/https url or one of a set of known names. Those are
      'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
      for now and they are not case-sensitive.
      The default of LetsEncrypt is unchanged.
    - `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
      section.
    - Treating 401 HTTP status codes for orders like 403, since some ACME
      servers seem to prefer that for accessing oders from other accounts.
    - When retrieving certificate chains, try to read the repsonse even
      if the HTTP Content-Type is unrecognized.
    - Fixed a bug that reset the error counter of a certificate renewal
      and prevented the increasing delays in further attempts.
    - Fixed the renewal process giving up every time on an already existing
      order with some invalid domains. Now, if such are seen in a previous
      order, a new order is created for a clean start over again.
      See <icing/mod_md#268>
    - Fixed a mixup in md-status handler when static certificate files
      and renewal was configured at the same time.

  *) mod_md: values for External Account Binding (EAB) can
     now also be configured to be read from a separate JSON
     file. This allows to keep server configuration permissions
     world readable without exposing secrets.

  *) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.
     PR 65616.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ea76fc6)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants